caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0
58.71k stars 4.05k forks

Allow automatic use of Headscale certs? #5197

Open edgar-vincent opened 2 years ago

edgar-vincent commented 2 years ago

Hello,

The docs mention that Headscale, a libre implementation of the Tailscale control server, can be used with Caddy. However, Caddy only automatically uses Tailscale for *.ts.net domains, which are specific to Tailscale services. Headscale users, on the other hand, obviously get to define their own domain name.

Would it be possible, for example, to be able to define the domain used by Headscale in Caddy's configuration, in order for it to use its TLS certificates automatically?

Thanks a lot!

EV

mholt commented 2 years ago

Yeah, I think we can do this. Not sure how yet, but most likely doable!

edgar-vincent commented 2 years ago

Thank you very much!

motiejus commented 1 year ago

Headscale or tailscaled would need to know how to nudge the DNS server to add the DNS TXT records for verification. This is hard, because everyone uses a different DNS server and API/process to change the records.

It works so easily with Tailscale because Tailscale-the-company controls *.ts.net, the Tailscale control plane and tailscaled (the daemon on everyone's machine). They can easily couple everything and have just one combination of software to worry about. Tailscale offering HTTPS on a domain they control is not a coincidence. :)

Caddy asking for a cert is the icing. The hard part is getting the pieces to talk to each other.

I have implemented HTTPS for Headscale domains. For the curious, here is a public domain bitwarden.jakstys.lt pointing to a 100.<...> IP: https://git.jakstys.lt/motiejus/config/src/commit/d60677822f3e340c1f6a96533de432884e10bc77/data.nix#L170 and the implementation: https://git.jakstys.lt/motiejus/config/src/commit/d60677822f3e340c1f6a96533de432884e10bc77/modules/services/nsd-acme/default.nix

I had to change my DNS server from unbound to nsd to make it work, because I couldn't reliably update the zone from a shell script.

As you can see, it's convoluted. A better place to start for the adventurous would probably be headscale, not here. :).

(And the mention of Headscale should probably be removed from the Caddy docs, since it's fundamentally not possible today, and not due to any fault of Caddy's.)

francislavoie commented 1 year ago

@motiejus I don't use Tailscale nor Headscale so I'm not equipped to help much here, but it sounds like we need to integrate Caddy's DNS plugins to make this happen. I don't know what the triggers are here, but that does sound solvable.
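As an added illustration of the DNS-plugin route mentioned above (this is example configuration written for this page, not something from the Caddy or Headscale projects), the following Caddyfile serves a name under a Headscale MagicDNS base domain and obtains its certificate with the ACME DNS-01 challenge, which is what lets a certificate be issued for a name that only resolves to a private 100.64.0.0/10 address. The domain ts.example.com, the Cloudflare provider, the `CF_API_TOKEN` environment variable and the backend address 100.64.0.10:8080 are all assumptions; substitute the DNS provider module that matches the zone's actual DNS host.

```caddyfile
# Global options: one ACME account e-mail for all sites.
{
	email admin@example.com
}

# The public DNS zone example.com has an A record for
# bitwarden.ts.example.com pointing at the node's Headscale IP
# (100.64.0.10, hypothetical). That address is unreachable from the
# CA, so the HTTP-01 and TLS-ALPN-01 challenges cannot work; the
# DNS-01 challenge only needs Caddy to publish a TXT record.
bitwarden.ts.example.com {
	tls {
		# Requires a Caddy build that includes the provider module,
		# e.g.: xcaddy build --with github.com/caddy-dns/cloudflare
		dns cloudflare {env.CF_API_TOKEN}

		# Override the resolver used to confirm the TXT record has
		# propagated, so a split-horizon or local resolver does not
		# mask a missing public record.
		resolvers 1.1.1.1 8.8.8.8
	}

	# Forward to the service listening on the node's Headscale address.
	reverse_proxy 100.64.0.10:8080
}
```

The security-relevant caveat is the API token handed to the DNS plugin: it can write records in the zone, so scope it to the single zone (and, where the provider allows, to TXT records only) and keep it out of the Caddyfile itself via the `{env.…}` placeholder. This still does not make Caddy "automatically" use Headscale certificates; it just lets Caddy obtain its own certificate for a Headscale-managed name using the same DNS-01 mechanism motiejus describes above.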

teleclimber commented 2 weeks ago

Note that Headscale does not yet fetch certs to use with the server over TLS, but it probably will some day:

https://github.com/juanfont/headscale/issues/1921